CVE-2025-59430 HIGH

CVE-2025-59430: Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink

Vendor Frontfin
Product mesh-web-sdk
Weakness CWE-79 · XSS
Published September 22, 2025
Last update September 22, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

What the vulnerability does

Description

Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the createLink.openLink function did not validate the protocol (scheme) of the URL it loads, so a caller-supplied URL with a script-bearing scheme (most directly a javascript: URL) was assigned as an iframe source and executed as arbitrary JavaScript in the context of the parent page rather than in an isolated cross-origin frame. The result is indistinguishable from a legitimate embedded page at the rendering level, and the injected script has access to the parent page's DOM, storage, session and cookies. If the attacker can additionally specify customIframeId, they can redirect the source of an existing iframe on the page to the attacker-controlled URL. Exploitation requires user interaction (CVSS UI:R): the victim must reach a page that passes attacker-controlled input to openLink. This issue has been patched in version 3.3.2; integrators should upgrade to 3.3.2 or later.
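The pattern behind this class of bug, and the check that closes it, as an added example. This is not the Mesh Connect SDK's code and does not reproduce the 3.3.2 patch; the function names (openLinkUnsafe, openLinkSafe, validateLinkUrl), the FakeIframe stand-in for a DOM element and the allowedHosts list are assumptions made so the example runs under Node without a browser.

```javascript
// Added example: hardening an "open link in iframe" helper against URL-scheme XSS.
// Not the Mesh Connect SDK's code; all names below are assumptions for illustration.

// Minimal stand-in for a DOM <iframe> so the example runs under Node without a browser.
class FakeIframe {
  constructor(id) {
    this.id = id;
    this.src = '';
  }
}

// Vulnerable pattern (illustrative): whatever string the caller passes becomes the
// frame's src. A javascript: URL assigned here runs with the embedding page's origin,
// so it can read the parent DOM, storage and cookies.
function openLinkUnsafe(iframe, url) {
  iframe.src = url;
  return iframe.src;
}

// Hardened check: parse with the WHATWG URL parser, then require https and an
// allow-listed host before the value ever reaches the DOM.
function validateLinkUrl(url, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(String(url)); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Compare the *parsed* protocol: the parser lowercases the scheme and strips
  // leading tabs/newlines, so "JaVaScRiPt:" and "\tjavascript:" are normalised
  // before this comparison instead of slipping past a naive startsWith().
  if (parsed.protocol !== 'https:') {
    return { ok: false, reason: `disallowed scheme ${parsed.protocol}` };
  }
  if (!allowedHosts.includes(parsed.hostname)) {
    return { ok: false, reason: `disallowed host ${parsed.hostname}` };
  }
  return { ok: true, href: parsed.href };
}

// Hardened version of the opener: the same check applies whether the target is a
// frame the SDK created or an existing one selected by the caller.
function openLinkSafe(iframe, url, allowedHosts) {
  const verdict = validateLinkUrl(url, allowedHosts);
  if (!verdict.ok) {
    throw new Error(`refusing to load link: ${verdict.reason}`);
  }
  iframe.src = verdict.href; // normalised href, never the raw caller string
  return iframe.src;
}

// Usage with constructed inputs (not from any real deployment):
const frame = new FakeIframe('sdk-frame');
const hosts = ['link.example'];
console.log(openLinkUnsafe(frame, 'javascript:alert(document.cookie)')); // accepted: the bug
console.log(validateLinkUrl('\tJaVaScRiPt:alert(1)', hosts));            // rejected by scheme
console.log(openLinkSafe(frame, 'https://link.example/connect?x=1', hosts));
```

Checking the parsed protocol rather than the raw string matters: a prefix comparison on the input would miss case variations and leading control characters that browsers strip before navigating, while the parser applies the same normalisation the browser will. Rejecting relative URLs (which `new URL` refuses without a base) is deliberate, since a relative value resolves against the host page and is rarely what an SDK should load.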

Key dates

Disclosure timeline

September 22, 2025 CVE published
September 22, 2025 Record updated
